Re: Hybrid capability systems
Norman Hardy (norm@netcom.com)
Sat, 9 Oct 1999 16:25:34 -0700

At 13:07 +0100 10/10/99, Alistair J. R. Young wrote: ...
>So, my speculation: I have my system have a capability-based kernel, but
>with a conventional ACL-type filesystem; and when the system boots, the
>kernel hands the first process a capability to a trusted process - call it
>aclmaster - which that process and its children can use their capability to
>request further ones from.
>
IBM's System 38, which evolved to AS/400, started out in this direction. I did not find their descriptive material sufficiently precise to really understand the security implications of their system.

I have resisted efforts in this direction for the following incomplete reasons:

I fear that mixing ACL semantics and capability semantics yields their combined disadvantages. The security analyst must reason in two domains while the enemy has more options.

ACLs have deficient semantics. They seem implicitly to assume that all of the software employed to process certain data does just what the data owner wants it to do. The military computer security establishment would not accept this assumption and opted for mandatory security not because they mistrusted the user but because they had to mistrust the software that he used and which wielded his authority. This model is especially awkward where the data owner is the user.

If factory logic is employed to confine software within your computer (such as a data base system or word processor) that you don't trust, while it accesses your data, then the access arrangement put in place by the factory must persist while the program instance has access to your data. This arrangement must survive multiple reboots.

None of the above proves that a hybrid system cannot solve interesting security problems. Some of my favorite problems seem to me to be insoluble in a hybrid system.

Norman Hardy <http://www.mediacity.com/~norm>
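
The point in the message above about software wielding the user's authority, as a toy model added here (it is not part of the original message; the user names, file names, contents and function names are all constructed). Under the ACL check the untrusted program reaches everything its user may read; given a single capability it reaches only the designated file.

```python
"""Toy model (constructed): ACL ambient authority vs. one granted capability."""


def make_store(files, acl):
    """Return (acl_open, mint_read_cap), both closed over a private file store."""
    def acl_open(user, name):
        # ACL check: the decision depends only on WHO asks, not on which program asks.
        if user not in acl.get(name, set()):
            raise PermissionError(name)
        return files[name]

    def mint_read_cap(name):
        # A capability designates one object and carries the authority to read it.
        return lambda: files[name]

    return acl_open, mint_read_cap


def untrusted_editor(read_sources):
    """Stand-in for software the user does not trust: it reads all it can reach."""
    seen = {}
    for label, read in read_sources.items():
        try:
            seen[label] = read()
        except PermissionError:
            pass  # denied by the ACL
    return seen


def run_demo():
    # Constructed sample data.
    files = {"letter.txt": "Dear Bob", "taxes.txt": "income 123", "bob.txt": "notes"}
    acl = {"letter.txt": {"alice"}, "taxes.txt": {"alice"}, "bob.txt": {"bob"}}
    acl_open, mint_read_cap = make_store(files, acl)

    # ACL system: the editor runs as alice, so every name it tries is
    # checked against alice's identity, whatever alice intended it to touch.
    as_alice = {n: (lambda n=n: acl_open("alice", n)) for n in files}
    acl_reach = untrusted_editor(as_alice)

    # Capability system: alice hands the editor one capability, for the
    # single file she wants edited. It holds no other authority.
    cap_reach = untrusted_editor({"letter.txt": mint_read_cap("letter.txt")})
    return sorted(acl_reach), sorted(cap_reach)


if __name__ == "__main__":
    print(run_demo())
```

The ACL still keeps alice's editor out of bob's file; what it cannot express is a limit on the program that differs from the limit on the user.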